Oversight Committee Demands Government ScreenOS Audit
An influential Congressional committee has written to all major US government departments and agencies requesting an audit of computer systems to appraise how many were affected by the major security issue in Juniper Networks firewalls revealed last month.
Juniper claimed in a statement in December to have found “unauthorized code” in ScreenOS firmware powering its firewalls, which could allow attackers to gain administrative access to affected devices and achieve VPN decryption.
All organizations with NetScreen devices using ScreenOS 6.2.0r15 to 6.2.0r18, and 6.3.0r12 to 6.3.0r20 required admins to apply the patch issued promptly by the network giant.
Now the Committee on Oversight and Government Reform wants to know who’s running what, and whether they’ve taken the recommended security steps or not.
Although the committee only sent out the letters late last week, it has given the relevant departments until just 4 February – two weeks – to respond.
The letters in question ask whether the recipient agency/department uses the affected ScreenOS versions; how it discovered the vulnerability and whether any action was taken prior to Juniper issuing a patch; which specific version of ScreenOS is being used; and when the software patch was deployed.
In total, 24 agencies and departments have been sent letters, including the Department of Defense, State Department, NASA, the Office of Personnel Management (OPM), the Treasury and the SEC.
The committee is right to be anxious about the federal government’s cybersecurity posture, given it has previously been found wanting in this area.
Security shortcomings at the OPM, for example, led to the breach of over 21 million records of current and former government employees and their families, including details about security clearance requests.
It’s believed that this information may have been stolen by state-sponsored actors from China keen to use the information for intelligence purposes – some have speculated potentially to identify individuals who could be recruited as double agents.
Source: Information Security Magazine